Firewall Wizards mailing list archives
Re: Acquisition of time
From: "Paul D. Robertson" <proberts () patriot net>
Date: Wed, 29 Jan 2003 10:53:38 -0500 (EST)
On Wed, 29 Jan 2003, Brian Monkman wrote:
> Folks - I'm having a discussion with a few people and we have a question that we are interested in getting comments from the list on. Are there any situations where a firewall's acquisition of time could/should be from a network time source? Not necessarily a public source, it could be an "internal" time source.
Could be, sure.
> If there are situations where this makes sense, should these same firewalls have battery backed up clocks on board or would that be unnecessary?
Imagine you had some SQL servers which got hit with a worm that propagated, and you allowed all outbound traffic. Let's say the worm generated enough traffic to fill up the state table on the firewall, and due to a bug it ended up rebooting. Now, the internal network flood is still going on. An attacker decides to take advantage of the mayhem to launch a real attack against you, and the NTP server isn't reachable because the switch it's sitting on has 8 vulnerable neighbors plugged into it.... What time gets written to the logs when the attack commences?

Worse yet, let's say it's protecting a small business or a home and doesn't have all the good constant power that we tend to see in large companies...

While I've often said that it's a good thing to be able to take a cheap GPS and add a stratum 1 timeserver to a network, any time you add an external dependency, you really, really need to think through the scenarios, especially if you're going to have to take log files to court.

Paul

ps: Posting from home doesn't improve your odds ;)
-----------------------------------------------------------------------------
Paul D. Robertson
proberts () patriot net
"My statements in this message are personal opinions which may have no basis whatsoever in fact."
probertson () trusecure com
Director of Risk Assessment
TruSecure Corporation
_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
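
An added example, not part of the original post: a Python check for the log problem described above, where a firewall with no battery-backed clock reboots while its NTP server is unreachable. The log format, host name, addresses and the assumption that the clock restarts at the Unix epoch are all constructed for illustration; the function brackets every event written under the bad clock between the last trustworthy timestamp and the first one after time was restored.

```python
from datetime import datetime

# Constructed sample log (assumed format: ISO timestamp, then message).
SAMPLE_LOG = """\
2003-01-29T10:41:07 fw1 kernel: state table full, dropping new connections
2003-01-29T10:41:09 fw1 kernel: panic, rebooting
1970-01-01T00:00:04 fw1 boot: system start
1970-01-01T00:00:31 fw1 ntpd: no server reachable
1970-01-01T00:02:15 fw1 filter: DENY tcp 203.0.113.7:4431 -> 192.0.2.10:22
1970-01-01T00:05:40 fw1 filter: ACCEPT tcp 203.0.113.7:4467 -> 192.0.2.10:80
2003-01-29T10:58:12 fw1 ntpd: time set, stepped clock
2003-01-29T10:58:30 fw1 filter: DENY udp 192.0.2.44:1029 -> 198.51.100.9:1434
"""

def untrusted_windows(log_text):
    """Find runs of entries stamped earlier than a timestamp already seen.

    Each window records 'after' (last good time before the regression),
    'before' (first time at or past 'after' again, or None if the log ends
    first) and the events whose own timestamps cannot be relied on.
    """
    windows, current, last_good = [], None, None
    for line in log_text.splitlines():
        if not line.strip():
            continue
        stamp, _, message = line.partition(" ")
        ts = datetime.fromisoformat(stamp)
        if current is None:
            if last_good is not None and ts < last_good:
                # Clock went backwards: open a window of suspect entries.
                current = {"after": last_good, "before": None, "events": [message]}
            else:
                last_good = ts
        elif ts >= current["after"]:
            # Clock is back at or beyond the pre-reboot time: close the window.
            current["before"] = ts
            windows.append(current)
            current, last_good = None, ts
        else:
            current["events"].append(message)
    if current is not None:
        windows.append(current)  # clock never recovered before the log ended
    return windows

if __name__ == "__main__":
    for w in untrusted_windows(SAMPLE_LOG):
        print(f"clock untrusted between {w['after']} and {w['before']}:")
        for event in w["events"]:
            print("   ", event)
```

A check like this only bounds when the suspect events happened; it cannot recover their true times, and it will not catch a clock that resets to a value later than the last good timestamp.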